From Fedora Project Wiki

=== Information Sources ===
* [http://www.nsa.gov/selinux/ National Security Agency]
* Russell Coker: <http://www.coker.com.au/selinux/>, [http://www.linuxjournal.com/article/9408 Multi-Category Security in SELinux in Fedora Core 5], <http://www.coker.com.au/selinux/talks/auug-2005/auug2005-paper.html>
* James Morris: [http://namei.org/ols-2008-selinux-paper.pdf Have You Driven an SELinux Lately?], [http://james-morris.livejournal.com/5020.html An Overview of Multilevel Security and LSPP under Linux]
* [http://selinux-symposium.org/ SELinux Symposium and Developer Summit]
* [http://docs.fedoraproject.org/selinux-apache-fc3/ Fedora Core 3: Understanding and Customizing the Apache HTTP SELinux Policy (Beta Document)]
* [http://www.redhat.com/magazine/001nov04/features/selinux/ What is Security-Enhanced Linux?]
* [https://www.redhat.com/training/security/courses/rhs429.html RHS429 course]
* [http://gentoo-wiki.com/HOWTO_Understand_SELinux Gentoo Wiki HOWTO Understand SELinux]
* [http://oss.tresys.com/projects/refpolicy SELinux Reference Policy]
* [http://www.cs.stthomas.edu/faculty/resmith/r/mls/index.html Introduction to Multilevel Security, Dr. Rick Smith]
* Red Hat Enterprise Linux 5 Deployment Guide:
** [http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/rhlcommon-chapter-0017.html End User Control of SELinux]
* [[SELinux/FAQ|Fedora SELinux/FAQ]] (previously the [http://docs.fedoraproject.org/selinux-faq-fc5/ Fedora Core 5 SELinux FAQ])
* Red Hat Enterprise Linux 4 SELinux Guide: [http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-part-0062.html Working with SELinux]
* Mailing lists: <selinux@tycho.nsa.gov> and <fedora-selinux-list@redhat.com>
* [http://www.redhatmagazine.com/2008/07/02/writing-policy-for-confined-selinux-users Confining Users]
* [http://www.niap-ccevs.org/cc-scheme/st/st_vid10286-vr.pdf Common Criteria Evaluation and Validation Scheme Validation Report]
* [http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/ Risk report: Three years of Red Hat Enterprise Linux 4]
* [http://www.tresys.com/innovation.php Tresys (Mitigation News)]
* [http://www.nsa.gov/selinux/papers/freenix01/freenix01.html Integrating Flexible Support for Security Policies into the Linux Operating System]
* [http://www.nsa.gov/selinux/papers/ottawa01/index.html Meeting Critical Security Objectives with Security-Enhanced Linux]

=== What the Documentation Covers (in no particular order, and subject to change) ===
* [[Docs/Drafts/SELinux User Guide/Previous TOC Ideas| Previous TOC Ideas]]
* [[Docs/Drafts/SELinux User Guide/Draft TOC| Draft table of contents.]]

-----------------------------------------
'''The following is a draft, and may contain spelling mistakes:'''

'''SELinux Introduction:'''
* What SELinux can do
* What SELinux cannot do
* Performance impact (from running SELinux)
* "A brief high-level user-oriented overview of SELinux which people can use to understand what SELinux does, how it's part of a defense in depth approach, the value it provides and what is involved in using it effectively (e.g. set expectations of benefit/cost).": <http://selinuxproject.org/page/Documentation_TODO>
* Policy overview <http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/rhlcommon-chapter-0001.html> (the SELinux framework enforces the policy, hooks in the kernel, and so on)
* Example (compare to a submarine with compartments: if one compartment has leaked, the water does not reach the next compartment, and the submarine does not sink)
* Example: an Apache server has been compromised, but cannot interact with other services, or read anything that is not labeled httpd_sys_content_t
* Other distributions (enabled by default on Fedora, not by default on Debian? (<http://wiki.debian.org/SELinux>))

'''SELinux Basics:'''
* Brief overview.
* If you do not do anything else with SELinux, at least do these things...
* What SELinux can and can't do.
* Examples to explain how SELinux works (e.g., Apache HTTP).

'''SELinux Contexts and Attributes:'''
* The SELinux security context tuple
* SELinux users
* SELinux role (attribute of Role Based Access Control)
* Type attributes (attribute of Type Enforcement)
* Categories (attribute for security level enforcement (MLS), or category enforcement (MCS))

'''Subjects and Objects:'''
* Brief overview of objects, subjects, and object classes.
* Objects on a Linux system (files, sockets, interfaces, and so on (<code>ls -lZ</code>, <code>ls --scontext</code>, <code>ls --lcontext</code>, <code>secon</code>))
* Explain each part of SELinux labels.
* Subjects on a Linux system (processes (<code>ps auxZ</code>, <code>ps -ZC [command-name]</code>), and also that processes are represented as objects in /proc/)
* Object classes and their permissions (example: the file object class and its permissions: file read, dir write, etc. These are statically defined in the Linux kernel; however, users can assign types to subjects and objects, and define a policy for those types, so that the types interact through the object classes and permissions supplied by the Linux kernel)
* Domain type (the type attribute of a process; for example, user_t is the domain type of an ordinary user's processes)
* Object type (the type attribute of an object, such as a file. Do not confuse files on disk with the file object class/file types: in the Unix sense, almost any object is a file)
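As an added example (not code from this page or from the Fedora project), the following Python parses the security context tuple described in the two sections above and implements the category dominance check that the MCS/MLS items refer to. It assumes the `user:role:type[:level[-level]]` format printed by `ls -lZ`, `ps auxZ` and `semanage user -l`, the `sN:cA.cB,cC` category syntax, and that the MCS check compares the subject's high (clearance) level against the object's level; every context in it is a constructed sample.

```python
"""Parse SELinux security contexts and check MCS category dominance.

Added example, not code from the Fedora wiki page. All contexts used here are
constructed samples.
"""
import re
from dataclasses import dataclass

_SENS = re.compile(r"^s(\d+)$")
_CAT = re.compile(r"^c(\d+)$")
_CAT_RANGE = re.compile(r"^c(\d+)\.c(\d+)$")


@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: a sensitivity (s0, s1, ...) and a set of categories."""
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        """Dominance: at least as sensitive, and a superset of the other's categories."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_categories(spec):
    """'c0.c3,c7' -> {0,1,2,3,7}; '' -> empty set. Ranges are inclusive."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = _CAT_RANGE.match(part)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"inverted category range {part!r}")
            cats.update(range(lo, hi + 1))
            continue
        m = _CAT.match(part)
        if not m:
            raise ValueError(f"bad category {part!r}")
        cats.add(int(m.group(1)))
    return frozenset(cats)


def parse_level(text):
    """'s0:c0.c1023' -> Level(0, {0..1023}); 's0' -> Level(0, {})."""
    sens, _, cats = text.partition(":")
    m = _SENS.match(sens)
    if not m:
        raise ValueError(f"bad sensitivity {sens!r}")
    return Level(int(m.group(1)), parse_categories(cats))


def parse_range(text):
    """'low-high' -> (Level, Level); a single level is its own low and high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not hi.dominates(lo):
        raise ValueError(f"high level does not dominate low level in {text!r}")
    return lo, hi


@dataclass(frozen=True)
class Context:
    """The security context tuple user:role:type[:low[-high]]."""
    user: str
    role: str
    type: str
    low: Level
    high: Level


def parse_context(text):
    """Split on the first three ':' only, because the level field itself contains ':'."""
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a user:role:type context: {text!r}")
    user, role, typ = parts[:3]
    if len(parts) == 4 and parts[3]:
        low, high = parse_range(parts[3])
    else:
        low = high = Level(0, frozenset())  # no level shown (policy without MLS/MCS)
    return Context(user, role, typ, low, high)


def mcs_allows(subject, obj):
    """MCS check assumed here: the subject's high (clearance) level must dominate
    the object's high level, so a process at s0:c1,c2 can reach an object at
    s0:c1 but not one at s0:c3."""
    return subject.high.dominates(obj.high)
```

The split-on-three-colons rule in `parse_context` is the point most ad-hoc scripts get wrong: a naive `split(":")` breaks `unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023` into five pieces and loses the range.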

'''Working with SELinux:'''
* Installing (selinux-policy-*) and upgrading SELinux packages (missing SELinux users, upgrade problems on systems not running SELinux initially, required packages for other policies, MLS, MCS, etc. mcstransd is not installed by default on Fedora 9)
* Important files (<code>/etc/selinux/</code>, <code>/selinux/</code>)
* Enabling and disabling SELinux (is it enabled; temporarily and permanently turning it on and off; kernel boot options; etc. <code>sestatus</code> (reports the current mode and the mode set in <code>/etc/selinux/config</code>), <code>setenforce</code>, <code>getenforce</code>)
* Introduction to tools and commands (semanage, system-config-selinux, restorecon, etc.)
* semanage
** system-config-selinux (GUI for <code>semanage</code>)
** Booleans (allow you to configure certain parts of the policy without recompiling it: <code>semanage boolean</code>; also mention <code>getsebool -a</code> and <code>setsebool -P</code>. Mention the man pages for targeted booleans)
** Labeling files and objects (<code>semanage fcontext -a</code>, <code>semanage</code> vs <code>chcon</code>)
** Labeling ports and objects (<code>semanage port -a</code>, and how to close ports)
** Explain each option: setting booleans, adding users, translations.
** Translations and mcstransd (mcstransd is required; examples from domg472)
** restorecond and <code>fixfiles</code>
* Managing and maintaining SELinux labels
** Viewing labels (<code>ls -lZ</code>)
** Copying vs moving files (how it affects the SELinux context; moving files from one machine to another, e.g. the SSH authorized_keys file)
** <code>rpm</code>
** <code>star</code> and <code>tar</code>
** <code>mkdir</code>, for example, <code>mkdir -Z selinuxuser:role:type directory-name</code>
** Mislabeled files
** Relabeling a file system (/tmp will not be relabeled: <http://domg444.blogspot.com/2007/11/why-files-with-incompatible-types-in.html>. <code>touch /.autorelabel; reboot</code> is easy, but one should use <code>restorecon -R -v /path/to/file</code>, followed by <code>restorecon -R -v /topleveldirectory-tofile</code>)
** Problems running in permissive mode (allowed to use mislabeled files, change labels freely, etc.)
* Mounting (mnt_t, booleans, overriding contexts with the mount command: <http://selinuxproject.org/page/Documentation_TODO>)
* Using <code>newrole</code> to..., and newrole vs sudo.

'''Managing Users:'''
* Linux and SELinux user accounts (mappings, <code>semanage login -l</code> and <code>semanage user -l</code>, <code>usermod -Z</code>, <code>useradd -Z</code>)
* User categories (xguest, user_u, staff_u, etc.)
* Adding a confined user
* Adding an unconfined user
* Modifying existing users (<code>usermod -Z</code>, <code>semanage login -m</code>)

'''Working with System Services:'''
(link to the man page for each, e.g. httpd_selinux(8))
* Transitions (maybe use httpd as an example)
* Apache (contexts, sharing files with Samba (public_content_t, public_content_rw_t, then maybe <code>setsebool -P allow_smbd_anon_write=on</code>), using a different port, etc.)
* NFS
* Samba
* BIND (contexts to write to log files, read configuration files, and so on)

'''SELinux Log Files and Denials:'''
* auditd and syslog (where the log files are kept: /var/log/audit/audit.log and /var/log/messages)
* Controlling where log files are written to?
* <code>sealert -l \*</code> and setroubleshootd (advantages, limitations, and how they relate to auditd; when not running X, use setroubleshoot-server)
* Searching log files (<code>/sbin/ausearch -m avc -ts today | grep search-term | head -n 1</code>; ausearch by command name (-c) or hostname (-h); auditctl, aureport, ausearch, and setools-console)
* What to check after a denial / questions to ask when a denial occurs.
* What if there are no denials, but actions are denied?
** dontaudit rules; is DAC denying access?
* Interpreting AVC denials (refer to the todo item: <http://selinuxproject.org/page/Documentation_TODO>)
* audit2allow
* audit2why
* Are SELinux log files too large? (size of logs in permissive mode vs enforcing.)
* Asking for help (the information an SELinux guru needs to help solve your problem)

'''Access Control:'''
* Discretionary Access Control (DAC)
* Mandatory Access Control (MAC)
* Multi-Level Security (MLS)
* Multi-Category Security (MCS)
* Type Enforcement (TE)
* Role Based Access Control (RBAC)

'''Targeted Policy Overview:'''
<http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/sec-sel-policy-targeted-oview.html>

'''Working with MCS and MLS:'''
* Overview: <http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/sec-mcs-getstarted.html>, <http://www.linuxjournal.com/article/9408>
* Refer to domg472's examples
* Managing MCS and MLS translations
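The "SELinux Log Files and Denials" items above (interpreting an AVC message, pulling extra detail from the SYSCALL and PATH records of the same audit event, what audit2allow would generate, and what to check before allowing anything) can be shown on a few audit records. The Python below is an added example, not code from this page or from the audit2allow tool itself; the audit lines in it are constructed, the `allow` output only imitates the form audit2allow prints, and the `TRIAGE` table is an illustrative assumption rather than a policy database.

```python
"""Interpret SELinux AVC denials, join them with SYSCALL/PATH audit records that
share the same event serial, emit audit2allow-style rules, and give a triage hint.

Added example, not code from the Fedora wiki page. SAMPLE_AUDIT_LOG is
constructed; TRIAGE is an illustrative assumption, not a policy database.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1222780800.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1222780800.123:46): avc:  denied  { open } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1222780800.123:46): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=PATH msg=audit(1222780800.123:46): item=0 name="/home/alice/public_html/index.html" inode=98765 dev=fd:00 mode=0100644 ouid=500 ogid=500 obj=unconfined_u:object_r:user_home_t:s0
type=AVC msg=audit(1222780801.500:47): avc:  denied  { name_bind } for  pid=2345 comm="httpd" src=8123 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

_HDR = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
_PERMS = re.compile(r"\{ ([^}]*) \}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """One audit record -> (type, serial, fields); None if the line is not an audit record."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    rtype, _timestamp, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in _KV.findall(body)}
    pm = _PERMS.search(body)
    if pm:
        fields["perms"] = tuple(pm.group(1).split())
    return rtype, int(serial), fields


@dataclass
class Denial:
    serial: int
    comm: str
    stype: str      # type field of scontext (the domain)
    ttype: str      # type field of tcontext
    tclass: str
    perms: tuple
    path: str = ""  # from the AVC record, or from a PATH record with the same serial
    syscall: str = ""


def context_type(ctx):
    """Third field of user:role:type[:level]."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """AVC 'denied' records become Denials; SYSCALL/PATH records with the same serial enrich them."""
    denials, extra = [], defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, f = rec
        if rtype == "AVC" and "denied" in line:
            denials.append(Denial(serial, f.get("comm", ""), context_type(f["scontext"]),
                                  context_type(f["tcontext"]), f["tclass"],
                                  f.get("perms", ()), f.get("path", "")))
        elif rtype == "SYSCALL":
            extra[serial]["syscall"] = f.get("syscall", "")
        elif rtype == "PATH":
            extra[serial].setdefault("path", f.get("name", ""))
    for d in denials:
        e = extra.get(d.serial, {})
        d.syscall = e.get("syscall", "")
        if not d.path:
            d.path = e.get("path", "")
    return denials


def allow_rules(denials):
    """Group by (source type, target type, class) and print rules in audit2allow's form."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d.stype, d.ttype, d.tclass)].update(d.perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


# Illustrative assumption: the questions to ask before pasting audit2allow output
TRIAGE = {
    ("httpd_t", "user_home_t", "file"):
        "content is mislabeled: relabel it (restorecon/chcon to httpd_sys_content_t) "
        "rather than allowing httpd_t to read user_home_t",
    ("httpd_t", "port_t", "tcp_socket"):
        "non-standard port: semanage port -a -t http_port_t -p tcp <port>",
}


def triage(d):
    return TRIAGE.get((d.stype, d.ttype, d.tclass),
                      "check DAC permissions and booleans (getsebool -a) before audit2allow")
```

Run it over real input with `parse_denials(open("/var/log/audit/audit.log").read())`; the join on the event serial is what turns `name="index.html"` into the full path, which is the reason the todo list asks for a syscall audit filter that collects PATH records.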


= Risks =
Too many Red Hat Enterprise Linux errata :(

Latest revision as of 13:50, 18 September 2016

Phase 1: Information Planning

Deliverables and Milestones

  • Information Plan: documents findings after the initial investigation is complete. Generates an idea about where the project is heading, and what it requires.
  • Project Plan: an estimation of the time and resources required to complete the project.

Information Plan

Information Sources (the list of links appears at the top of this page)

Purpose of the Documentation

  • Provide a short, simple introduction to access control (MAC, MLS, MCS), and SELinux.
  • Use examples to describe how SELinux operates (such as Apache HTTP server not reading user_home_t files).
  • Give users information needed to do what they want without turning SELinux off.
  • From the current SELinux documentation todo list, "Translate danwalsh.livejournal.com in to a beginner user guide".

Audience

  • Familiar with using a Linux computer and a command line.
  • No system administration experience is necessary; however, content may be geared towards system administration tasks.
  • No previous SELinux experience.
  • People who are never going to write their own SELinux policy.

What the Documentation Covers (in no particular order, and subject to change)

From the current SELinux documentation todo list:

  • "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
  • "Document Confined Users".
  • "Update FC5 FAQ".
  • "Document the use of the mount command for overriding file context".
  • "Describe Audit2allow and how it can just Fix the machine".
  • "Update and organize the Fedora SELinux FAQ".

SELinux Introduction:

  • Brief overview.
  • What SELinux can and can't do.
  • Examples to explain how SELinux works (e.g., Apache HTTP).

SELinux Contexts and Attributes:

  • Brief overview of objects, subjects, and object classes.
  • Explain each part of SELinux labels.

Targeted Policy Overview:

  • Confined and Unconfined processes.
  • Confined system and user domains.

Working with SELinux:

  • Installing and Upgrading packages.
  • Configuration Files.
  • Enable and Disable SELinux.
  • semanage: booleans, labeling files, adding users, translations.
  • Managing and Maintaining SELinux Labels.

Managing Users:

  • Linux and SELinux user account mappings.
  • Adding confined and unconfined users.
  • Modifying existing users.

System Services:

  • Examples, sharing content between services.

SELinux Log Files and Denials:

  • auditd and setroubleshoot.
  • Searching log files (ausearch).
  • Interpreting AVC Denials.
  • sealert -l \*
  • What to check for after a denial (DAC permissions...)
  • audit2allow and audit2why.

Access Control

  • Concepts of DAC, MAC, Type Enforcement®, etc.

Working with MCS and MLS

  • Examples from domg472.

Project Plan

Schedule

Updated 30 September 2008 to reflect slip in Fedora 10 schedule.

Information Plan: July 14 -> July 24 (9 days)

Deliverables: Information Project Plans

Content Specification: July 25 -> August 14 (15 days)

Deliverables:

  • Individual publications that are planned for the final document. These publications are done on the Wiki. This occurs after extensive research into topics.
  • Table of contents.
  • Phase review: subject matter experts approve the plan or request modifications to content.

Implementation: August 15 -> November 8 (70 days)

Designs for style, prototype sections, first, second, and approved drafts, weekly reports sent to <selinux@tycho.nsa.gov>.

Production: November 16 -> November 24 (9 days) (localization was struck out of this phase in the latest revision)

Preparing final copies/PDFs (translation struck out).

Evaluation: dates struck out in the latest revision (previously October 29 -> October 30 (1 day))

  • Evaluate the project.
  • Plan maintenance cycles.
  • Plan next release.

Subject Matter Experts

  • Daniel Walsh
  • James Morris
  • Eric Paris
  • domg472
  • Russell Coker
  • Stephen Smalley
  • Karl MacMillan
  • Joshua Brindle
  • Christopher J. PeBenito